Fingerprinting BitTorrent Traffic in Encrypted Tunnels Using Recurrent Deep Learning

Torrent connection blocking inside institutional networks can be bypassed using VPN and proxies, allowing Bit-Torrent applications to tunnel connections to a remote server. Consequently it has become extremely challenging to classify application traffic without resorting to stateful deep flow or deep packet inspection techniques. As an alternative, we present a deep learning implementation that takes a featureset based on the statistical behavior of TCP tunnels proxying BitTorrent traffic, transforms it to multiple timestep sequences, and uses it to train a recurrent neural network. Our work demonstrates an RNN model and featureset that accurately determines the presence of tunneled BitTorrent connections with high accuracy, precision, and recall. We present how Bidirectional LSTM can improve binary classifier metrics when used over regular LSTM in classifying network traffic time sequences.